HP Discovers Common Vulnerabilities in 10 IoT Devices

The opportunity to have many devices connected to the Web brings risk. An HP report finds 70 percent of IoT devices use unencrypted network services.

Internet of things security

The emerging world that is the Internet of things (IoT) offers consumers the opportunity to have all manner of devices connected to the Internet, but with great power to connect also comes great risks, according to a new study from Hewlett-Packard.

HP found a host of common vulnerabilities across 10 major IoT devices that it scanned for security risks.

HP is not specifically identifying the vendors or devices it scanned, according to Daniel Miessler, practice principal for Fortify on Demand at HP Fortify. The goal with the study was not to name and shame any individual vendor, but rather to point out the areas of risk that are present, he told eWEEK.

The results of the study show a shocking number of vulnerable devices from common issues that are well-known in the broader IT security market. HP found that 70 percent of the devices it scanned used unencrypted network services. When data is sent unencrypted over a network, it is possible for an attacker to intercept and read the data.

To add further insult to injury, 60 percent of the devices scanned by HP had an insecure Web interface due to the use of weak credentials as well as Cross Site Scripting (XSS) risks. HP also found that the majority of devices it scanned did not enforce strong password policies. Overall, HP found an average of 25 different vulnerabilities per IoT device it scanned.

HP didn't just scan the individual devices for security risk, it actually leveraged its own Fortify scanning software to look at the IoT devices and the cloud services that enable device management, Miessler said.

"We looked at the software with static analysis, but we're also running the software and seeing how it interacts with the back end," Miessler said. "You can't just look at one thing; the Internet of things is not one-dimensional."

For the most part, the primary flaws identified by HP are issues that are not new to the security world. Using encrypted transport and strong passwords, for example, have both long been considered part of the best practices landscape for all Internet facing applications.

The challenge for IoT, however, is the fact that multiple components are coming together in new ways. The IoT device itself typically connects into a mobile device, which might have its own set of vulnerabilities and security challenges, Miessler said. The device also has network traffic as well as cloud connectivity, which all need to be secured, as well.

"Each one of those touch points has vulnerabilities that you can write books about, but IoT is special in that it combines all those vulnerabilities together into one ecosystem," Miessler said. "You're taking all the vulnerabilities from already insecure spaces and rolling them into one."

Miessler suggests that vendors take the time to secure their devices, though there are things that users can do, too.

"You can put the IoT devices on another separate network," Miessler said."You should separate networks so that any IoT devices can't interact with other things on the protected network."

In that model of isolation if, for example, a hacker gets control of a user's device, whether it's a garage door or a light switch, they can't pivot to gain access to the rest of the network to steal the user's data.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.